
You read a ton of articles nagging you about your passwords, most particularly in these iPhone-been-BUSTED! days.

They’ve got to have uppercase letters, lowercase letters, numbers, weird symbols, flanges, Rustoleum, and should optimally be double-jointed… or something like that.

You’ve got a strong password. At least you think you’ve got a strong password, but how to know for sure? You could run it through a password strength-o-matic meter!

What could possibly go wrong?

That’s what Adrienne Porter Felt from the Google Chrome security team asked on Tuesday, when she came across a CNBC article about password security that asked users to type in their passwords to check how secure they were:

According to PC World’s Jeremy Kirk, copies of the passwords went to companies including Google’s DoubleClick advertising service and Scorecard Research, an online marketing company that’s part of comScore.

And that bit about the meter not storing passwords: according to Kane York, who works on the Let’s Encrypt project, traffic analysis showed the tool was actually storing the passwords in a Google Docs spreadsheet.

THIS is what could possibly go wrong

CNBC’s intentions were good: to teach people the importance of a strong, unique password, but getting it right is harder than it looks.

Good password strength meters, such as the highly rated zxcvbn used by Dropbox and WordPress, test your password using client-side code that runs entirely in your browser so the password being tested doesn’t leave your device.

The strength meter used by CNBC apparently used server-side code though, which meant that passwords were sent over the internet to a server and the results sent back.
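To make the client-side/server-side distinction concrete, here is an added example of a minimal strength estimator that runs entirely in the browser (or under Node). It is not zxcvbn and not CNBC's meter; the common-password list is a constructed stub, and the scoring thresholds are assumptions chosen for illustration. The point is structural: nothing in it calls `fetch`, `XMLHttpRequest` or builds a URL, so the password never leaves the device.

```javascript
// Added example: a minimal client-side password strength estimator.
// Not zxcvbn and not CNBC's meter. A real meter would use a far larger
// dictionary and pattern matching; this one only shows that the whole
// check can run locally, with no network request anywhere in it.

// Constructed stub of a common-password list (real lists have millions).
const COMMON_PASSWORDS = new Set([
  'password', '123456', 'qwerty', 'letmein', 'iloveyou', 'admin', 'welcome',
]);

// Size of the character pool the password appears to draw from.
function poolSize(pw) {
  let size = 0;
  if (/[a-z]/.test(pw)) size += 26;
  if (/[A-Z]/.test(pw)) size += 26;
  if (/[0-9]/.test(pw)) size += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) size += 33; // printable ASCII symbols and space
  return size;
}

// Entropy in bits if each character were chosen uniformly from the pool.
// Human-chosen passwords are not uniform, so treat this as an upper bound.
function entropyBits(pw) {
  if (pw.length === 0) return 0;
  return pw.length * Math.log2(poolSize(pw));
}

// Score 0 (reject) to 4 (strong). Thresholds are assumptions for the example.
function estimateStrength(pw) {
  if (pw.length === 0) return { score: 0, bits: 0, reason: 'empty' };
  const lower = pw.toLowerCase();
  // Strip trailing digits/symbols so "password1!" still hits the dictionary.
  const core = lower.replace(/[^a-z]+$/, '');
  if (COMMON_PASSWORDS.has(lower) || COMMON_PASSWORDS.has(core)) {
    return { score: 0, bits: 0, reason: 'common password' };
  }
  if (/^(.)\1+$/.test(pw)) {
    return { score: 0, bits: 0, reason: 'repeated character' };
  }
  const bits = entropyBits(pw);
  let score;
  if (bits < 28) score = 1;
  else if (bits < 36) score = 2;
  else if (bits < 60) score = 3;
  else score = 4;
  return { score, bits: Math.round(bits), reason: 'entropy estimate' };
}

// In a page this would be wired to the input's "input" event; the result is
// rendered locally and the password string is never serialized or sent.
```

When auditing a third-party meter, the test is the same one Felt applied: open the browser's network panel, type into the field, and confirm that no request carries the value. A meter whose code looks like the above produces no traffic at all.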

Private data like passwords should always be sent over the web using HTTPS, the encrypted form of HTTP, so that you know where it’s being sent and that it isn’t compromised on the way.

The CNBC article sent passwords “in the clear,” leaving them open to interception and manipulation.

Even with an HTTPS connection, server-side checking is still a bad idea; the passwords might travel to their destination safely, but you’ll never know what happens to them when they get there.

CNBC made things worse by sending unencrypted passwords to their server as a parameter in the page’s URL, which meant that anything else that the URL was shared with, such as third-party advertisers and web analytics providers, got a copy of the password being tested too.

The passwords may also have ended up being stored in HTTP log files on the destination server.
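The two leaks described above (URL shared with third parties, and URL written to server logs) can both be checked for from the defending side. The following is an added example, not code from the article or from CNBC: it scans constructed access-log lines for query parameters that carry credentials, redacts them so the logs can be kept, and shows which part of a page URL a browser places in the Referer header of a request to a third party under two Referrer-Policy values (one mechanism by which a URL is "shared" with advertisers and analytics scripts). The log lines, hostnames and parameter-name pattern are all constructed for the example.

```javascript
// Added example, not from the article. Constructed Combined Log Format lines;
// 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real hosts.
const SAMPLE_LOG = [
  '203.0.113.5 - - [29/Mar/2016:10:15:32 +0000] "GET /api/strength?password=hunter2&ref=article HTTP/1.1" 200 97 "http://news.example/passwords" "Mozilla/5.0"',
  '203.0.113.9 - - [29/Mar/2016:10:15:40 +0000] "GET /api/strength?pwd=Tr0ub4dor%263 HTTP/1.1" 200 97 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [29/Mar/2016:10:16:01 +0000] "GET /index.html?page=2 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [29/Mar/2016:10:16:05 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
];

// Parameter names that should never carry a value in a URL (assumed list).
const SENSITIVE_PARAM = /^(pass(word|wd)?|pwd|secret|token|api[_-]?key)$/i;

// Extract method and request target from a Common/Combined Log Format line.
function parseRequestLine(line) {
  const m = line.match(/"([A-Z]+) (\S+) HTTP\/[\d.]+"/);
  return m ? { method: m[1], target: m[2] } : null;
}

// Names of sensitive query parameters present in a request target.
function sensitiveParams(target) {
  // The base origin is a placeholder; only path and query are inspected.
  const url = new URL(target, 'http://log.invalid');
  return [...url.searchParams.keys()].filter((k) => SENSITIVE_PARAM.test(k));
}

// One finding per log line whose URL carries a credential-like parameter.
function findLeaks(lines) {
  const findings = [];
  lines.forEach((line, i) => {
    const req = parseRequestLine(line);
    if (!req) return;
    const params = sensitiveParams(req.target);
    if (params.length) findings.push({ line: i + 1, method: req.method, params });
  });
  return findings;
}

// Replace sensitive parameter values so the log can be retained safely.
function redactLine(line) {
  const req = parseRequestLine(line);
  if (!req) return line;
  const url = new URL(req.target, 'http://log.invalid');
  let changed = false;
  for (const k of [...url.searchParams.keys()]) {
    if (SENSITIVE_PARAM.test(k)) {
      url.searchParams.set(k, 'REDACTED');
      changed = true;
    }
  }
  return changed ? line.replace(req.target, url.pathname + url.search) : line;
}

// What a browser puts in the Referer header of a request from pageUrl to
// thirdPartyUrl. Two policies modelled: the older default
// "no-referrer-when-downgrade" (full URL, query included) and
// "strict-origin-when-cross-origin" (origin only for cross-origin requests).
function referrerSent(pageUrl, thirdPartyUrl, policy = 'no-referrer-when-downgrade') {
  const page = new URL(pageUrl);
  const dest = new URL(thirdPartyUrl);
  if (policy === 'no-referrer') return '';
  if (page.protocol === 'https:' && dest.protocol === 'http:') return ''; // downgrade
  const sameOrigin = page.origin === dest.origin;
  if (policy === 'strict-origin-when-cross-origin' && !sameOrigin) {
    return page.origin + '/';
  }
  return page.origin + page.pathname + page.search; // fragment is never sent
}
```

Redaction after the fact is a mitigation, not a fix: by the time the line is in the log, proxies, CDNs and browser history have already seen the same URL. The durable fix is the one the article gives, keep the check client-side, and where a secret genuinely must be submitted, send it in a POST body over HTTPS rather than in the query string, and set a Referrer-Policy on the page so that third-party requests receive at most the origin.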

And finally, even if you find yourself using a password strength meter that gets everything right and doesn’t send your password anywhere, you should apply a heavy dose of salt to anything it tells you about your password.